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^ . Abstract 

D ' We introduce the use of Fourier analysis on lattices as an integral part of a lattice based 

construction. The tools we develop provide an elegant description of certain Gaussian distri- 
OO I butions around lattice points. Our results include two cryptographic constructions which are 

based on the worst-case hardness of the unique shortest vector problem. The main result is a 
new public key cryptosystem whose security guarantee is considerably stronger than previous 
' results {0{n^'^) instead of 0(n^)). This provides the first alternative to Ajtai and Dwork's 

. original 1996 cryptosystem. Our second result is a family of collision resistant hash functions 

jyp^ I which, apart from improving the security in terms of the unique shortest vector problem, is also 

the first example of an analysis which is not based on Ajtai's iterative step. Surprisingly, both 
results are derived from one theorem which presents two indistinguishable distributions on the 
segment [0, 1). It seems that this theorem can have further applications and as an example we 
mention how it can be used to solve an open problem related to quantum computation. 
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Cryptographic constructions based on lattices have attracted considerable interest in recent years. 
The main reason is that, unlike many other cryptographic constructions, lattice based constructions 
O ■ can be based on the worst-case hardness of a problem. That is, breaking them would imply a 
solution to any instance of a certain lattice problem. In this paper we will be interested in the 
^ , unique shortest vector problem (uSVP), a lattice problem which is believed to be hard: we are 
H ' asked to find the shortest vector in an n-dimensional lattice with the promise that it is shorter by a 
factor of than all other non-parallel vectors. Hence, the problem becomes harder as c decreases. 
The results in this field can be divided into two types. The first includes public key cryptosystems 
and the second includes families of collision resistant hash functions. 

The only previously known public key cryptosystem based on a worst-case lattice problem 
is the one due to Ajtai and Dwork which appeared in 1996. They presented a public key 
cryptosystem based on the worst-case hardness of 0(n^)-uSVP. Then, in Goldreich, Goldwasser 
and Halevi showed how to eliminate decryption errors that existed in the original scheme. They 
also improved the security to 0(n'^)-uSVP. Although there are other lattice based cryptosystems 
(see, e.g., pi IIUI IT^ ). none of them is based on the worst-case hardness of a lattice problem. Our 
main result is a new public key cryptosystem whose security is based on 0(n^'^)-uSVP. 

*EECS Department, UC Berkeley, Berkeley, CA 94720. Email: odedr@cs.berkeley.edu. Most of this work was 
done while the author was at the Institute for Advanced Study, Princeton, NJ. Work supported by the Army Research 
Office grant DAAD 19-03- 1-0082 and NSF grant CCR-9987845. 
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In pP, Ajtai presented a family of one-way hash functions based on the worst-case hardness of 
several lattice problems. In terms of the uSVP, it was based on the hardness of 0(n'^)-uSVP. The 
constant c was not explicitly specified but later it was noted to be c = 19 In 0, it was shown 
that under the same assumptions one can obtain a family of collision resistant hash functions. 
This is a stronger primitive than a one-way function with many uses in cryptography. Cai and 
Nerurkar |5] improved the exponent to c = 9 -|- e and later, by providing an improved analysis, Cai 
[3] obtained c = 4 + e. These papers also showed how to base the security of the hash function on 
other lattice problems which are potentially harder than uSVP (e.g., GapSVP and GapSIVP). In 
jl5j , Micciancio recently constructed a family of hash functions with the best known constant c for 
several important lattice problems (but not for uSVP). In another paper ^], Micciancio improved 
the efficiency of the hash function by using cyclic lattices. Roughly speaking, all of these results 
are based on variations of a method known as Ajtai's iterative step. 

Our contribution 

The main contribution of this paper is the introduction of Fourier analysis on lattices as an inte- 
gral part of a lattice based construction. Fourier analysis was previously used indirectly through 
transference theorems, i.e., theorems that relate properties of a lattice and its dual (see, e.g., 
Our constructions are the first to use Fourier analysis directly. 

Our main theorem is a reduction from the 0(n^'^)-uSVP to the problem of distinguishing 
between two types of distributions on the segment [0, 1). We believe that this theorem will find 
other uses in the future. 

Using the main theorem, we present three results. The main one is a new public key cryp- 
tosystem which is based on the hardness of 0(n^'^)-uSVP. This is a major improvement to the 
1996 cryptosystem by Ajtai and Dwork. Its description is surprising in that it essentially consists 
only of numbers modulo some large number N. Our second result is a family of collision resistant 
hash functions whose security is based on the 0(n^'^)-uSVP. In terms of the uSVP, this improves 
all the previous results mentioned above. However, previous results were not based only on uSVP 
and are therefore incomparable with our result. In addition, ours is the first lattice based hash 
function whose analysis is not based on Ajtai's iterative step. The hash function that we consider 
is simple and is known as the modular subset sum function^. This function already appeared in 
previous papers; for example, one of the results in is an average-case to average-case reduction 
for the function. The third result is related to an open question in quantum computation and will 
be discussed in Section [7J 

Intuitive overview 

In the following we provide an informal overview of the results in this paper. Many of the details 
are omitted for the sake of clarity. 

Main theorem: Our main theorem is a reduction from 0(n^'^)-uSVP to the problem of distin- 
guishing between two types of distributions on [0, 1). One distribution is the uniform distribution U 
while the other is concentrated around integer multiples of 1 /h for some unknown large integer 

^Previous constructions of hash functions were usuaUy presented as functions on random lattices. However, most 
of these results can be easily extended to the modular subset sum function. This was already noted in Ajtai's original 
paper ([I]). 



2 



h < 2'^("') (notice that if we knew h we could easily distinguish between the two). The sharpness 
of the concentration in this 'wavy' distribution depends on the factor of the uSVP problem. For 
example, 0(n^'^)-uSVP translates to a concentration of around 1/n, that is, the difference between 
two adjacent peaks is roughly n times the width of a peak (see Figure Notice that the reduction 
is to a worst-case problem in the sense that one has to distinguish between the uniform distribution 
and the wavy distribution for all values /i in a certain range. Nevertheless, the wavy distribution 
has the property that if one distinguishes it from uniform for some small fraction of h then one can 
also distinguish it from uniform for all values of h. This average-case to worst-case property will 
be implicit in our cryptographic applications. In the following we describe the three steps in the 
proof of the main theorem. 

The first step involves a reduction from the search problem uSVP to a certain decision problem 
on lattices. Assume that the shortest vector is Y17=i ^i'^i where ai ^ "L and t"!, . . . ,f„ is a basis 
of the lattice. The decision problem asks whether p \ Oj where p is some prime number which we 
choose to be slightly more than n^'^. The reduction is a Cook reduction and the idea is to make the 
lattice sparser and sparser without losing the shortest vector. At the end, the lattice is so sparse 
that we can easily find the shortest vector. For example, when p | Oj we can replace Vi with p ■ Vi 
without losing the shortest vector. The actual proof is slightly more involved as we have to handle 
cases where p\ ai. 

The second step is the core of the proof. Here, we reduce the above decision problem to a 
problem of distinguishing between two n-dimensional distributions. Namely, one distribution is 
uniform and the other is a 'wavy' distribution. We begin by developing a few lemmas based on a 
theorem of Banaszczyk. Essentially, this theorem says that if we choose a 'random' lattice point 
from the dual L* of a lattice and perturb it by a Gaussian of radius ^/n then the distribution 
obtained can be closely approximated by a function that depends only on points in L (the primal 
lattice) that are within distance y/n of the origin. We apply this theorem for two types of lattices 
L. The first is a lattice L where all nonzero vectors are of length more than ^/n. Here we get that 
the distribution around points of L* is determined only by the origin of the primal lattice and is 
therefore very close to being uniform. The second type is a lattice with one short vector u of length 
(say) 1/n and all other non-parallel vectors of length more than ^/n. The distribution that we 
obtain here is almost uniform on n — 1 dimensional hyperplanes orthogonal to u. In the direction 
of u the distribution has peaks of distance n such that the width of each peak is 1. The way we 
use these results is the following. Recall that we are given an n^'^-unique lattice and we should 
decide whether p \ a^. We do this by first scaling the lattice so that the length of the shortest 
vector is 1/n and therefore all non-parallel vectors are of length more than n^'^/n = y/n. We then 
multiply Vi by p. If p | then the shortest vector remains in the lattice and therefore if we take 
the distribution in the dual lattice we get a wavy distribution as described above. Otherwise, if 
p\ ai, the shortest vector disappears and since p > n^-^ the resulting lattice has no vectors shorter 
than ^/n. Therefore, the distribution obtained in the dual is very close to uniform. 

The third and final step consists of 'projecting' the n-dimensional distributions described above 
onto a one-dimensional distribution. Naively, one can choose a point according to the n-dimensional 
distribution and project it down to a line. However, this would ruin the original distribution. We 
would like to project down to a line but only from tiny areas around the line. This would guarantee 
that the original distribution is preserved. This, however, presents a new difficulty: how can one 
guarantee that a randomly selected point according to the distribution in M"' falls close to the 
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line? We solve this by using the fact that the distribution is periodic on the lattice. Hence it 
is enough to consider the distribution on the fundamental parallelepiped of the lattice. Now we 
can draw a line that passes through the parallelepiped many times and that is therefore 'dense' in 
the n-dimensional space inside the parallelepiped (see Figure I^J- Projecting the two n-dimensional 
distributions above will produce either the uniform distribution U or the wavy distribution for 
some h. This completes the description of the main theorem. 

Public key cryptosystem: Let be some large integer. The private key consists of a single 
integer h chosen randomly in the range (say) [^/N, The public key consists of m = 0(log N) 

numbers ai, . . . , am in {0, 1, . . . , — 1} which are 'close' to integer multiples of N/h (notice that h 
doesn't necessarily divide A^). We also include in the public key an index iq G [m] such that a^^ is 
close to an odd multiple of N/h. We encrypt one bit at a time. An encryption of the bit is the 
sum of a random subset of {oi, . . . , a^} modulo A^. An encryption of the bit 1 is similar but we 
add [aig/2j to the result. On receiving an encrypted word w we consider its remainder on division 
by N/h. If it is small, we decrypt and otherwise we decrypt 1. Notice that since oi, . . . are 
all close to integer multiples of N/h any encryption of is also close to a multiple of N/h and the 
decryption is correct. Similarly, since [ai(,/2j is far from a multiple of N/h^ encryptions of 1 are 
also far from multiples of N/h and the decryption is 1. 

The following is a rough description of how we establish the security of the cryptosystem. 
Assume that there exists a distinguisher A that given the public key can distinguish encryptions of 
from encryptions of 1. In other words, the difference between the acceptance probabilities pq on 
encryptions of and the acceptance probability p\ on encryptions of 1 is non-negligible. Therefore, 
if pu is the acceptance probability on random words it must be the case that either \pu — Po\ or 
\Pu —pi\ is non-negligible. Assume that the former case holds (the latter case is similar). Then we 
construct a distinguisher between the distributions U and T/^. Let R be the unknown distribution 
on [0, 1). We choose m values from i?, multiply them by A^ and round the result. Let ai, . . . ,am 
be the result. We then estimate ^'s acceptance probability when the public key ai, . . . ,0^ (for 
simplicity we ignore iq) is fixed and the word w is chosen randomly as an encryption of 0. This 
is done by simply calling A many times, each time with a new w computed according to the 
encryption algorithm. We also estimate ^'s acceptance probability when w is chosen uniformly 
from {0, 1, . . . , A^ — 1} and not according to the encryption algorithm. If there is a non-negligible 
difference between the two estimates, we decide that R is and otherwise we say that R is U . 
We claim that this distinguishes between U and T^. If i? is C/ then ai,...,am are uniform in 
{0,1,...,A^ — 1}. One can show that this implies that the distribution of encryptions of is very 
close to the uniform distribution and therefore A (as well as any other algorithm) cannot have 
different acceptance probabilities for the two distributions. Otherwise, R is Th and the distribution 
that we obtain on ai, . . . , is the same one that is used in the public key algorithm. Therefore, 
according to our hypothesis, A should have a non- negligible difference between the two cases. 

A family of collision resistant hash functions: We choose m = 0(log A^) random numbers 
ai, . . . ,am uniformly from {0, 1, . . . , A^ — 1} and define the hash function f(b) = 1 hai mod A^ 
where b E {0, 1}™. A collision finding algorithm in this case means an algorithm A that given 
random ai, . . . , am finds with non-negligible probability a nonzero vector b G { — 1, 0, l}'" such that 

biai = O(mod A^). Using A we show how to build a distinguisher between U and T^- By trying 
many values of the form {1 + 1/ poly {m))^ we can have an estimate /i of /i up to some small l/poly{m) 
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error. We would like to use h to check if the distribution is concentrated around multiples of ^. 
Sampling values from the unknown distribution R and reducing modulo 1/h does not help because 
the difference between i/h and i/h is much larger than 1/h for almost a\l < i < h (recall that 
h is roughly \/iV which is exponential in m). The idea is to use the collision finding algorithm to 
create from a distribution which is also concentrated around the peaks i ■ ^ but only for i < m. 

We sample m values xi, . . . , Xm from the unknown distribution R. We add small perturbations 
Ui, . . . ,ym chosen uniformly in [0, 1/h) to each xi, . . . ,Xm respectively. We denote the result by 
zi, . . . ,Zm- Now we call A with [N ■ zi\, . . . , [N ■ Zm\ and we get a subset S such that X^jg5 Zi mod 1 
is very close to zero. For simplicity assume that it is exactly zero. We then check if Y2i£S ^« ™od 1 = 
— Ylies yi ^o*^ 1 is close to an integer multiple of If -R is the uniform distribution on [0, 1) then 
conditioned on Bny values of . . . ^ z^^i the distribution of yi, . . . , ym is stih uniform in [0, 1/h) and 
hence Ylies ^s not close to an integer multiple of 1/h. If i? is Th then conditioned on any values 

01 zi, . . . , Zm, the Xj's are distributed around one or two peaks of T^. Therefore, Yli&s ^« ™od 1 is 
close to a multiple of ^. Moreover, since the y^'s are at most 1/h, their sum is at most m/h. Since 
the estimate h satisfies that for 1 < i < m, i/h is very close to i/h, the distinguisher can reduce 
Yli£s modulo 1/h and see that it is close to a multiple of 1/h, as required. 

One last issue that we have to address is that A might not find collisions on inputs of the form 
[N ■ zi\, . . . , [N ■ Zm\ when R is not the uniform distribution. This is because our assumption was 
that A finds collisions on inputs chosen uniformly. But if A does not find collisions we know that 
R has to be and hence we can still distinguish between U and T^. 

Outline 

In Section |^ we list several definitions and some properties of lattices that will be needed in this 
paper (for an introduction to lattices see JH])- After defining several distributions in Section we 
present the two cryptographic constructions in Section|21 The main theorem is developed in Section 
1^ The analysis of the public key cryptosystem is in Section El and that of the hash function is in 
Section El In Section E| we present a solution to an open problem related to quantum computation. 
Several technical claims appear in Appendix [SI 

2 Preliminaries 

A lattice in M" is defined as the set of all integer combinations of n linearly independent vectors. 
This set of vectors is known as a basis of the lattice and is not unique. Given a basis (vi, . . . , Vn) 
of a lattice L, the fundamental parallelepiped is defined as 

n 

V{vi,. ..,Vn) = (^XiVi I Xi £ [0, 1)}. 

i=l 

When the basis is clear from the context we will use the notation V{L) instead of V{vi, . . . ,Vn)- 
Note that a lattice has a different fundamental parallelepiped for each possible basis. We denote 
by d{L) the volume of the fundamental parallelepiped of L or equivalently, the determinant of the 
matrix B whose columns are the basis vectors of the lattice. The point x G M" reduced modulo 
the parallelepiped 'P{vi, . . . , u„) is the unique point y G P(t'i, . . . , Vn) such that y — x is an integer 
combination of vi,. . . ,Vn (see, e.g., |13j). The dual of a lattice L in M", denoted L*, is the set of 
all vectors y G M"' such that {x,y) G Z for all vectors x £ L. Similarly, given a basis {vi, . . . ,Vn) 
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of lattice, we define the dual basis as the set of vectors {v^, . . . ,v^) such that {vi, v*) = 5ij for all 
i,j S [n]. Note that if i? = (ui, . . . ,Vn) is the n x n matrix whose columns are the basis vectors 
then {B^)~^ contains the dual basis as its columns. From this it follows that d{L*) = l/d{L). 

We say that a lattice is unique if its shortest vector is strictly shorter than all other non-parallel 
vectors. Moreover, a lattice is f{n) -unique if the shortest vector is shorter by a factor of at least 
/(n) from all non-parallel vectors. In the shortest vector problem we are interested in finding the 
shortest vector in a lattice. In this paper we will be interested in the /(n)-unique shortest vector 
problem (/(n)-uSVP) where in addition, we are promised that the lattice is /(n)-unique. Let A(-L) 
denote the length of the shortest nonzero vector in the lattice L. We also denote the shortest vector 
(or one of the shortest vectors) by r(L). Most of the lattices that appear is this paper are unique 
lattices and in these cases r(L) is unique up to sign. 

One particularly useful type of basis is an LLL reduced basis. Such a basis can be found in 
polynomial time Hence, we will often assume without loss of generality that lattices are given 
by an LLL reduced basis. The properties of LLL reduced bases that we use are summarized in 
Claim rOl 

We define a negligible amount as an amount which is asymptotically smaller than n^^ for any 
constant c > 0. The parameter n will indicate the input size. Similarly, a non-negligible amount 
is one which is at least n~'^ for some c > 0. Finally, exponentially small means an expression that 
is at most 2~^^"'\ We say that an algorithm A with oracle access is a distinguisher between two 
distributions if its acceptance probability when the oracle outputs samples of the first distribution 
and its acceptance probability when the oracle outputs samples of the second distribution differ by 
a non-negligible amount. Note that the notion of acceptance is used for convenience. In addition, 
an algorithm A is said to distinguish between the distribution T and the set of distribution T if 
for any distribution T' £ T, A distinguishes between T and T' . 

For two continuous random variables X and Y having values in [0, 1) with density functions Ti 
and T2 respectively we define their statistical difference as 



^ Jo 

A similar definition holds for discrete random variables. One important fact that we use is that 
the statistical distance cannot increase by applying a (possibly randomized) function /, i.e.. 



see, e.g., jl6j . In particular, this implies that the acceptance probability of any algorithm on inputs 
from X differs from its acceptance probability on inputs from Y by at most A{X,Y). 

The set {1,2, ... ,n} is denoted by [n]. All logarithms are of base 2 unless otherwise specified. 
We use 6ij to denote the Kronecker delta, i.e., 1 if z — j and otherwise. We use c to denote an 
unspecified constant. That is, whenever c appears we can replace it with some universal constant. 
For example, the expression c + 7 = c is true because we can substitute 1 and 8 for the constants. 
Other constants will be denoted by c with a letter as the subscript, e.g., Ch. 

For two real numbers x,y > we define x mod y as x — [x/y\y. For x S M we define [x] as 
the integer nearest to x or, in case two such integers exist, the smaller of the two. We also use the 
notation frc(x) := \x — [x] |, i.e., the distance of a real x to the nearest integer. Notice that for all 
x,y G M, < frc(x) < |, frc(x) < |x| and frc(x + y) < frc(x) -|- frc(y). 




A(/(x),/(y))< A(x,y) 



(1) 
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Recall that the normal distribution with mean and variance cr^ is the distribution on M given 
by the density function J- e~2^^^ . Also recall that the sum of two normal variables with mean 
and variances and o"! is a normal variable with mean and variance af + A simple tail 
bound on the normal distribution appears in Claim ETTl The Gaussian distribution is a distribution 
on M" obtained by taking n independent identically distributed normal random variables as the 
coordinates. We define the standard Gaussian distribution as the distribution obtained when each 
of the normal random variables has standard deviation l/\/27r. In other words, a standard Gaussian 

II ||2 

distribution is given by the density function e~'^"^'' on M". 

For clarity, we present some of our reductions in a model which allows operations on real 
numbers. It is possible to modify them in a straightforward way so that they operate in a model that 
approximates real numbers up to an error of 2^"^" for arbitrary large constant c in time polynomial 
in n. Therefore, if we say that two continuous distributions on [0, 1) are indistinguishable (in the 
real model) then for any c > discretizing the distributions up to error 2""'' for any c yields two 
indistinguishable distributions. 



2.1 Several Distributions 

We define several useful distributions on the segment [0,1). The distribution U is simply the 
uniform distribution with the density function U{r) = 1. For (3 S R"*" the distribution is a 
normal distribution with mean and variance ^ reduced modulo 1 (i.e., a periodization of the 
normal distribution): 

k=—oo 

Clearly, one can efficiently sample from Qp hy sampling a normal variable and reducing the result 
modulo 1. Another distribution is Th^/s where /i G N and /3 G M"^ (see Figure Its density function 
is defined as 



oo 



fc=-oo 

By adding a normalization factor we can extend the definition of Th^p to non-integer h. So in 
general, 

Jo Qp[xh mod Ijox 

For a real > 0, choosing a value z G [0, 1) according to T^^p can be done as follows. First choose 
a value x G {0, 1, . . . , [/i] — 1} and then choose a value y according to Qp. If < 1 then return it 
as the result. Otherwise, repeat the process again. It is easy to see that the distribution obtained 
is indeed T}^^ and that the process is efficient for (say) /i > 1. 
We also define the following set of distributions: 

rn,g := \hGN, h< 2'^- , P G [-,4-)} 

5 9 

where cy, is a constant specified in Lemma 14.91 
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Figure 1: T4,o.05, TV.o.os and T4,o.02 

3 Cryptographic Constructions 

For a security parameter n, let be 2'^^"^ and let m be Cmin? where cm and Cm are two constants 
which will be specified later. Let 7(72) = uj{nyJ\ogn), i.e., any function that satisfies ^ jj"^ ^ 00 
as n goes to infinity. The smaller the function, the better the security guarantee becomes. For 
concreteness, one can choose 7(n) = nlogn. We also assume that 7(n) < n^'^ for some constant 
> 0. 

Public Key Encryption 

• Private key: Let H = {h £ [\^,2VN) \ irc{h) < j^}- Choose h £ H uniformly at 
random. Let d denote ^. The private key is the number h. 

• Public Key: Choose /3 G [^ (^(n))^ ' ^ (7("))^ ^ uniformly at random. We choose m values 
Z11 ■ ■ ■ 1 Zm from Tji^f) by choosing xi, . . . , Xm and yi, . . . ,ym as described in Section 12.11 Let 
io be an index such that is odd (such an iq exists with probability exponentially close to 
1). For i G [m], let Oj denote [N ■ Zi\ . The public key is (ai, . . . , a^, «o)- 

• Encryption: In order to encrypt a bit we choose a random subset S of [m]. The encryption 
is YlieS '^i ™od if the bit is and Yli&s ^« + L~?"J ™od ^ if the bit is 1. 

• Decryption: On receiving w G {0, . . . , — 1} we decrypt if frc(^) < ^ and 1 otherwise. 

A Family of Collision Resistant Hash Functions 

• Choose m numbers ai, . . . , am uniformly in {0, 1, . . . , — 1}. The function / : {0, 1}™ 
{0, 1, . . . , A^ — 1} is defined as: 

m 

f{b) = J2 hai mod N. 

i=l 

Notice that if Cm > cn then / indeed compresses the size of the input and collisions are 
guaranteed to exist. 

4 Main Theorem 

In this section we present a reduction from (7(n)-uSVP to the problem of distinguishing between 
two types of distributions on [0, 1). 
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Theorem 4.1 Let g{n) he any function such that A^/n < g{n) < poly{n) and let cy, the constant 
specified in Lemma \4 !A If there exists a distinguisher between U and T^^g(^n) then there exists a 
solution to g{n)-uSVP. 

Proof: Let p[n) be a prime larger than g[n) and at most (say) 2g{n). We can now apply Lemmas 
14.21 14.81 and 14.91 in order to obtain the theorem. ■ 

4.1 Reduction to a Decision Problem 

We reduce the SVP to the following decision problem: 

Decision SVP with parameter p (dSVPp) 

• Input: An arbitrary basis {vi,...,Vn) of a unique lattice L and a number a such that 
A(L) < a < 2\{L) and let t(L) = Yll=i ^i'^^i be the coefficients of the shortest vector. 

• Output: YES if p divides oi, NO otherwise. 

Lemma 4.2 Let p = p(n) > 2 be a prime number which is at most polynomial in n? There exists 
a reduction from finding the shortest vector in a unique lattice L to dSVPp.^ Moreover, if L is an 
f{n) -unique lattice then all the calls to dSVP are also with an f{n) -unique lattice. 

Proof: It is convenient to have a bound on the coefficients of the shortest vector. So we assume, 
without loss of generality, that we are given a basis (vi, . . . , of L which is LLL reduced. Hence, 
by Claim IX^Sl we get that the coefficients of the shortest vector satisfy |aj| < 2^" and < 
A(i^) < ll^^ill- These are the only properties that we need from the basis and in fact, other bases 
used throughout this proof will not necessarily be LLL reduced. In the following we describe a 
procedure B{a) that finds the shortest vector given an estimate a which satisfies A(L) < a < 2\{L). 
We apply the procedure n times with a = 2-^"" • \\vi \\ for j = 1, 2, . . . , n + 1. Notice that when we 
call B with the wrong value of a it can error by either outputting a non-lattice vector or a lattice 
vector which is longer than the shortest vector. We can easily ignore these errors by checking that 
the returned vector is a lattice vector and then take the shortest one. Therefore, it is sufficient to 
show that when a satisfies \{L) < a < 2A(L), B{q) returns the shortest vector. Clearly, one can 
modify the dSVP so that it finds whether p \ Oi for any i S [n] (and not just z = 1) by simply 
changing the order of the vectors in the basis given to the dSVP. 

The procedure B is based on changes to the basis {vi,. . . ,Vn)- Throughout the procedure we 
maintain the invariant that the lattice spanned by the current basis is a sublattice of the original 
lattice and that the shortest vector is unchanged. Notice that this implies that if the original 
lattice is an /(n)-unique lattice then all intermediate lattices are also /(n)-unique and hence all 
the calls to dSVP are with an /(n)-unique lattice, as required. In addition, since the shortest 
vector is unchanged, the estimate a can be used whenever we call the dSVP with an intermediate 
lattice. The changes to the basis are meant to decrease the coefficients of the shortest vector. We 
let ai, . . . ,an denote the coefficients of the shortest vector according to the current basis. We will 
show that when the procedure ends all the coefficients of the shortest vector are zero except Oj for 

^The result holds for the case p = 2 as well with some technical differences. 

^One can guarantee the uniqueness of the shortest vector in any lattice by adding tiny perturbations to the basis 
vectors. Therefore, the assumption that L is unique can be avoided. 
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some i G [n]. This implies that the shortest vector is Vi. In the fohowing we describe a routine C 
that will later be used in B. 

The routine C{i,j) where i,j S [n] applies a sequence of changes to the basis. Only the vectors 
Vi and Vj in the basis are modified. When the routine finishes it returns the new basis and a bit. If 
the bit is zero then we are guaranteed that the coefficient of the shortest vector in the new basis 
is zero. Otherwise, the bit is one and we are guaranteed that \aj\ < ^\ai\ and that Oj is nonzero. 
In any case, the value of |aj| does not increase by C{i,j). 

The routine is composed of the following two steps. In the first step we replace Vi with p ■ Vi as 
long as the dSVP says that p \ ai and not more than 2n times. By multiplying Vi by p when p\ ai, 
we obtain a sublattice that still contains the same shortest vector. The coefficient decreases by 
a factor of p. Since we began with |aj| < 2^", if this happens 2n times then Oj = and therefore in 
this case we return the current lattice and output a zero bit. Otherwise, we are guaranteed that in 
the current lattice p\ ai. 

In the second step we consider p different bases where Vi is replaced with one of Vi—^^Vj , . . . ,Vi— 
Vj,Vi, Vi + Vj , . . . ,Vi + ^-^Vj. Notice that all p bases span the same lattice. Also note that the co- 
efficient Oj changes to Uj + ^^ai, . . . , aj + ai, aj , aj — Ui, . . . , aj — ^-^ai respectively while all other 
coefficients remain the same. Since p\ Ui, one of the bases must satisfy that p \ aj and we can find 
it by calling dSVPp. We choose that basis and then multiply vj by p. We repeat the above steps 
(of choosing one of the p bases and multiplying by p) 2n times and then output the resulting lattice 
with the bit one. With each step, the new |aj| becomes at most {^^\ai\ + \aj\)/p = — + 

Hence, after 2n applications, the new \aj\ is at most — + | + - • • + + < + 

and since aj is integer this implies \aj\ < ^\ai\. This completes the description of C. It is easy to 
check that all the numbers involved have a polynomial size representation and therefore C runs in 
polynomial time. 

The procedure B works by maintaining a set Z of possibly non-zero coefficients which is initially 
set to [n]. As long as 1^1 > 2 we perform the following operations. Assume without loss of generality 
that 1,2 £ Z. We alternatively call C(l, 2) and C{2, 1) until the bit returned in one of the calls is 
zero. This indicates that one of the coefficients is zero (either ai or 02 depending on which call 
returns the zero bit) and we remove it from the set Z. In order to show that the procedure runs in 
polynomial time, it is enough to show that an element is removed from Z after at most a polynomial 
number of steps. Notice that after each pair of calls to C that returned the bit one |ai| decreases 
by a factor of at least 4. Therefore, after at most 2n calls to C, ai becomes zero and C(l, 2) must 
return the bit zero. ■ 

Although not used in this paper, the following is an immediate corollary of the above lemma 
and might be of independent interest. Basically, it is a reduction from the search SVP to the 
decision SVP for unique lattices. It is still an open question whether a similar result holds for SVP 
on general lattices. 

Corollary 4.3 For any prime p = p{n) < poly{n) larger than 2 and any f{n) > 1, finding the 
shortest vector in an p{n)f{n) -unique lattice can he reduced to the following gap problem: given d 
and an f{n)-unique lattice, decide whether the length of the shortest vector is at most d or more 
than ^Jp{n) ■ d. 

Proof: According to Lemma 14.21 it is enough to describe a solution to dSVPp on p ■ /(n)-unique 
lattices. Say we are given the lattice L with the basis [vi, . . . , By using the gap problem we can 
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approximate A(L) and A(L') up to a factor ^ where V is the lattice spanned by (pfi, V2, • • • j v^). 
Notice that since -p- t{L) £ L', L' is an /(n)-unique lattice, as required. Say that A(L) G [di, -y/pcii] 
and A(L') e [^2, \/pc?2]- If P I oi then both lattices contain the same shortest vector and therefore 
the two ranges intersect. Otherwise, it is easy to see that r(L') = p ■ t{L) and therefore the two 
ranges do not intersect. ■ 

4.2 Gaussian Distributions on Lattices 

Let Bn denote the Euclidean unit ball and define p{A) as X^xeA ^ following lemma by 

Banaszczyk says that in any lattice L the contribution to p{L) from points of distance more than 
^/n is negligible. 

Lemma 4.4 (f5], Lemma 1.5(i) with c = 1) For any lattice L, p{L — y/nBn) < 2~^("^p(L). 

The proof of this lemma is not straightforward; a somewhat easier proof can be found in 
Stefankovic's thesis ^SJ. A simple corollary of this lemma is that p{L) < p(Ln-v/ni?„)/(l — 2~^(")). 
We will also use the following formulation of the Poisson summation formula: 

Lemma 4.5 ([3j, Lemma l.l(i) with a = n, b = 1, y = 0) For any lattice L and any vector y S 
M", p{L*+y) = d{L) . E.6Le'"*<"''^P({^})- 

For a given lattice L, we consider the distribution obtained by sampling a standard Gaussian 
centered around the origin and reducing it modulo the fundamental parallelepiped V{L*). Equiv- 
alently, we consider the following density function defined on V{L*): 

Dl'{x)= p{L* +x). 

Intuitively, we can think of Dl* as taking Gaussian distributions around 'all' points of L* . Since 
this distribution is periodic in M" with period V{L*), we simplify the analysis by choosing Dl* to 
be a restriction of the distribution to V{L*). In this section we present good approximations to 
Dl* for two types of lattices L. 

Lemma 4.6 Let L be a lattice in which all non-zero vectors are of length more than i/n and let 
Ul*{x) = ^(X*) ~ ^(-^) uniform density function on V{L*). Then, A{Dl* , Ul*) < 2~^("\ 

Proof: For any ?/ G M", 

x&L xeL\y^B„ 

p{L \ V^B^) 2-^Wp(L) 2-^W^^I^^ < 2-^(") 

where {1} and {2} are due to Lemma 14.41 and the last inequality holds because p{L n y/nBn) = 1. 
Multiplying by d{L) and using Lemma 14.51 we get, 

|d(L)-p(L* + y)|<2-^Wd(L). 

We conclude the proof by integrating over T'{L*), 

A{Dl*,Ul') < 2^^("). 
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For any vector v €z L define the density function Tl*^v on V{L*) as 

„ , , d(L) sr^ -ttCH^^I^ 

Tl*,. X =^Ee ^^^^ ■ 
\\v\\ ^ — ' 

According to Claim 1X31 it is indeed a density function. 

Lemma 4.7 Let L be a lattice with a shortest vector u in which all vectors not parallel to u are of 
length more than ^Jn. Then, A(Dl*,Tl*^u) < 2~^'-"^(l + -p^)- In particular, if \\u\\ > for some 
c> then A{Dl*,Tl*,u) < 2-^("). 

Proof: For any y G M", 

5^ pi{x}) = p{L \ V^B„) < 2-^(")p(L) f 2-^W_±_p({fc^|^ e Z}) < 

X&L\^Bn 

{3} 1 

2-^('^V({fcn|A; G Z}) < 2-^(")(l + -!-) 



where {1} and {2} are due to Lemma 14.41 and {3} is due to Claim \K72\ with x = 0. By multiplying 
by d{L) we get 

|p(L* +y) -d(L)y e2-*'=<"'S^)/,({A:n})| < 2-^(") (1 + ^) • d(L). (2) 
^-^ \\u\\ 

Consider the one dimensional lattice M spanned by the number \\u\\. Clearly, the lattice M* is 

spanned by the number tt-u. According to Lemma 14.51 for any a G M, 

ll^i 

p{M* + a) = d{M) e^^^^Vd^}) = IKII e2^*^"ll"V({M)- 
beM kez 

Therefore, taking a = {u,y)/\\u\\, 

We conclude the proof by integrating Q over V[L*): 

A(Z)L*,ri*,J<2-^(")(l + ^). 



d{L) V e2-'=<"'^)p({M) = T^P{M* + ^) = n*,u{y) 

.„ \\u\\ \\u\\ 



4.3 Two Indistinguishable Distributions 

Lemma 4.8 Let g(n) < p{n) be such that p{n) is a prime and both are at most polynomial in n. 
Solving dSVPp(^n) on g{n)-unique lattices can be reduced to the problem of distinguishing between 
Ul* and Tx,*^r{L) where L is given as an LLL reduced basis and A(L) G [^^) J^"^' 
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Proof: We are given a basis {vi, . . . ,Vn) of a g{n)-umque lattice L and a number a such that 
A(L) < a < 2A(L). Let L' be the lattice L scaled by a factor ^^^^ , i.e., the lattice spanned by the 

basis {v[, . . . , v'n) := ^^^^('Wi, • • • i Vn)- Notice that in L' the shortest vector r(L') = Yl^=i ^i^^'i is 

of length in [^^, ft^-^ ^^■^ vector not parallel to t{L') is of length at least g{n) ■ = -^/n. 
Now, let M be the lattice spanned by the basis {p{n)v[,V2, . . . , u^). If | oi then r(M) = r(L') 
and therefore its length is in [^^, ^I^-'' since M C L', any vector in M not parallel to r(M) 

is of length at least ^/n. If p(n) f ai then the shortest multiple of r(L') that is contained in M is 
f»(n) • r(L') whose length is at least p{n) ■ > \/n. Hence, in this case all non-zero vectors are of 
length at least ^/n. 

Clearly, we can take an LLL reduced basis of the lattice M without changing the properties of 
the lattice described above. Now consider the distribution Dm*- We can efficiently sample from it 
by sampling a Gaussian centered around the origin with standard deviation and reducing it 
modulo V{M*). According to Lemma 14.71 \i p{n) \ oi then the distribution is exponentially close 
to Tm''^t{m)- Oil the other hand, if p(n) \ ai. Lemma l4. 61 savs that the distribution is exponentially 
close to the uniform distribution Um*- Therefore, we can decide with non-negligible probability 
if p{n) I ai by calling an algorithm that distinguishes between Tm»^t{m) and Um*- The error 
probability can be made exponentially small by calling the algorithm a polynomial number of 
times and taking the majority. ■ 



4.4 One Dimensional Distributions 

Lemma 4.9 There exists a constant cp, such that for any g{n) > g[n) < poly{n), the problem 

of distinguishing between Ul* and Tx^*^r{L) for a lattice L given as an LLL reduced basis for which 
"^(^^ ^ ^sf^' sl^-^ reduced to the problem of distinguishing between U and Tn,g{n)- 

Proof: Let denote the LLL reduced basis of L and let be the dual basis 

of L*, i.e., a basis of L* such that {vi,v*) = 6ij. For some large integer K to be chosen later, 
consider a function / which maps a vector v = Y17=i ™ V{L*) to + ^^^r^ -|- . . . -|- 

+ ^ £ [0, 1). An equivalent way to describe / is the following. For a real r G [0, 1) let 
ri, . . . , r„_i G {0, . . . , "^^1 and r„ G [0, 1) be the unique numbers such that r = ri + ^r2 + 
• • • + j^l-i fn-i + j^i-i ^n- The set of points that are mapped to r is given by 

n ^ 

S{r) ■-= aiV* I Vi G [n - 1] Oj G [r^, rj + —] and a„ = r„}. 

i=l 

Hence, S{r) is an re — 1 dimensional parallelepiped whose diameter is at most Y17=i ll'^ill- Let w 
denote the vector + + . . . + K'^~^v^. Then, it is easy to see that for any r G [0, 1) the point 
rw reduced modulo V{L*) is contained in S{r). The line connecting the origin with w reduced 
modulo V{L*) goes through the parallelepiped K^~^ times. The mapping / essentially takes each 
point in V{L*) to a nearby point on the line (see Figure [21) • 

The reduction works by sampling a point from the given distribution on V{L*) and applying /, 
thereby obtaining a distribution on [0,1). Notice that / can be computed efficiently. Clearly, by 
starting from a uniform distribution on V{L*) we obtain the uniform distribution on [0, 1). Hence, 
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Figure 2: The line connecting the origin to w with if = 4 in two dimensions with V{vi,V2) and in 
three dimensions with the unit cube. 



it is enough to consider The distribution that we get on [0, 1) is given by: 

vol(5(r)) Js^r) ^ ' 

which is d{L*) times the average of 2L*,r(L) o^^r S{r). We claim that by choosing K to be large 
enough this average is very close to its value in rw G S{r). More formally, we claim that Ti{r) is 
exponentially close to 

\ _ , k + r{T{L),w) ^2 

where in the first equality we used the fact that {t{L),w) is integer and that the function does not 
change if we change the sign of {t{L),w). 

By using the mean value theorem we get that for any r € [0, 1) the difference between the 
maximum and the minimum values of T^-^riL) o^^r S{r) is at most: 

d,a.,{S(.)).max-(^j:e m., > ) < , ^ ^ ||„.|| . ^ 

^ ^ kez i=i ^ ' 

where the inequality is due to Claim 1X31 and the assumption that A(L) < < i. Hence, using 
Claim EH 

VrG[0,l) |Ti(r)-2|(,(i),^)|,^(i)2(r)| < • c • - ^ ||< || • -— = c • - J]] ||< || • — - 

i=l 1=1 

and by choosing K = 2^" we get that the statistical distance between Ti and T\(r{L),w)\,x{L)^ is 
exponentially small. 

Recall that w = J27=i "^i^) — Sr=i where all |aj| < 2^*^. Since {vi,v*) = 5ij, 

the inner product {t{L),w) is integer and its absolute value is at most n ■ 2^"^ • if" < 2'^^"'^ for a 
large enough Ch, as required. ■ 
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5 Analysis of the Public Key Cryptosystem 



Lemma 5.1 (Correctness) The probability of a decryption error is at most 2 ^('^m'' ^ plus some 
exponentially small terms. 

Note that the above probabihty is neghgible since 7(n) = u;{n^/logn). 

Proof: First consider an encryption of the bit 0. ProbabiUties are taken over the choices of the 
private and pubhc keys and the randomization in the encryption process. Let S denote the subset 
of indices which are included in the sum and let w := J2ies '^^ ™od N. Since Ylit^s o-i 1^ rn ■ N, 



w 



( ^~] Oj mod ] 



< m ■ \N — dlh'] I = m ■ d ■ frc(/i) < — d 

16 



and by the triangle inequality, 

frc(-) < - + frc(^-^^L ) = _ + frc(^) < ^ + ^ + frc(^ ^ 

ies 

where the last inequality uses \N ■ Zi — ai\ < 1. Notice that frc(^ X^ieS -^«) ~ ^^^Cl2ies(^i + Ui)) ~ 
frc(Eiesyi)- Hence, 

ie5 i&S 

where we used the fact that d is much larger than m. With probability exponentially close to 1, 
all strictly less than \h\ — 1. Conditioned on that, the distribution of yi is (5/3 and the 

distribution of J^iesVi 1 is Q\s\/3 where \S\P < m ■ (3 = 0{ (^^(^^yi )• Therefore, according to 

Claim IX?n the probability of fi'c(^.ggyj) > is at most 2"^^"'^^ and hence 

frc(^) < - + — (3) 
8 16 ^ ^ 

which is less than j, as required. 

The proof for the case of an encryption of 1 is similar. By using the fact that Xi^ is odd and 
that with probability exponentially close to 1, frc(?/jy) < we get frc(-^— ^^^) > ^ — ^ — ^- This, 
combined with @ gives 

r [aio/2j 111 

frc(-) > frc(^) - 8 - ^ > 4 

and the proof is completed. H 
Before establishing the security of the construction, let us prove a few simple claims. 

Claim 5.2 For any /i G N, /3 € M, let X,Y be two independent random variables; X is distributed 
uniformly over {0,^,...,^^^} and Y is normal with mean and variance Then Tfi^p is 

equivalent to the distribution of the sum of X and Y reduced modulo 1. 
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Proof: 



oo ^ 



k=—oo 



h—1 oo 



h~l ^ oo 



1=0 k=—oo 



l=0^kt^oo^ 



h _iLbL 
e P 



{r-k-{f 



Claim 5.3 For /i G N, Th^p + Qs mod 1 = T^^fs+sh^- 

Proof: According to Claim ^h,/3 can be viewed as the sum of two random variables X and Y 
reduced modulo 1. Therefore, T^^fs + Qs mod 1 = X + Y + Qs mod 1. But since both Y and Qs 

r+5 



are normal, their sum modulo 1 is exactly Q ii ,c and we conclude the proof by using Claim 15.21 
again. 



Definition 5.4 Given a density function X on [0, 1) we define its compression by a factor 6 > 1 
as the distribution on [0, 1) given by 

X{5r mod 1). 



X{6x mod l)dx 
We denote the result by CsiX). 

Using the above definition, Th^p is a compression of Q/j by a factor of h. Notice that if we can 
sample efhciently from X then we can also sample efficiently from its compression. This is done in 
a way similar to that used to sample from T^js. 

Claim 5.5 For any h £ N and 5 > 1, the compression of T^^p by a factor 5 is Tsh^p- 

Proof: The proof follows directly from the definition of Th,j3- ■ 

Claim 5.6 For large enough c, when choosing c ■ I numbers ai, . . . , Uc-i uniformly from to 2' — 1 
the probability that the statistical distance between the uniform distribution on {0, . . . , 2' — 1} and 
the distribution given by sums modulo 2' of random subsets of {ai, . . . , ac-i} is more than 2"' is at 
most 2~K 

Proof: Let Xt^b for t E {0, . . . , 2^-1}, b e {0, ly-^XO"-^ denote the event that X;-=i bitti = t (mod 2^ 
where the probability is taken over the choice of {ai, . . . , Oc-i}- Then, E[Xt^i)] = and < 
2"'. Hence, E[Yt] = = 2(^-i)-' - 2"^ where Yt denotes Ebe{o,i}-'\o-' ^t,b- Moreover, for 

b 7^ b' , the events Xt^ and Xt^b' are pairwise disjoint. Therefore, V[Yt] < ^ < 2^^~^^''' . Using 
the Chebyshev inequality, 

Pr 

and hence. 



Yt - (2('^-i)-' - 2-') > 2(^+1)-'] < 2-2' 
Yt - 2(^-1)-' > 2(^+^)'' + 2"'^ < 2" 
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Using the union bound, 

Pr (3t, Yt - 2('=-y-' > 2(^+^>' + 2"^) < 2"'. 

Therefore, with probabihty at least 1 — 2~' on the choice of {ai, . . . , Uc-i}, the number of subsets 
(including the empty subset) mapped to each number t is at most '"^^'^ + 2~' + 1 < 2^~2 '"2)'' 
away from 2^'^"^)''. This translates to a statistical distance of at most 

2(^+2)-' . 2-(c-i)-' < 2-' 

for large enough c. ■ 

Lemma 5.7 (Security) For cn > 2ch and large enough c^, if there exists a polynomial time 
algorithm A that distinguishes between encryptions of and 1 then there exists an algorithm B that 
distinguishes between the distributions U and T^^^^{n) ■ 

Proof: Let po be the acceptance probability of A on input ((ai, . . . , a^, io), it^) where w is an 
encryption of with the public key (ai, . . . ,am,io) ^-^d the probability is taken over the choice of 
private and public keys and the encryption algorithm. We define pi similarly for encryptions of 1 
and let p„ be the acceptance probability of A on inputs {(ai, . . . , am,io),w) where ai, . . . , a^, zq are 
again chosen according to the private and public keys distribution but w is chosen uniformly from 
{0, . . . , — 1}. We would like to construct an A' that distinguishes between the case where w is an 
encryption of and the case where w is random. According to our hypothesis, |po ^j^il > for 
some c > 0. Therefore, either \pQ — Pu\ > ^ or \pi — Pu\ > In the former case A is itself the 
required distinguisher. In the latter case A distinguishes between the case where w is an encryption 
of 1 and the case where w is random. We construct A' as follows. On input ((ai, . . . ,an,io),w), 
A' calls A with {{ai, . . . ,an,io),w + [^J mod N). Notice that this maps the distribution on 
encryptions of to the distribution on encryptions of 1 and the uniform distribution to itself. 
Therefore, A' is the required distinguisher. 

Let po{ai, . . . ,am,io) be the probability that A' accepts on inputs ((ai, . . . , am, io),w) where 
the probability is taken only over the choice of w as an encryption of with the fixed public key 
(ai, . . . , am, io)- Similarly, define Puiai, . . . , am, io) to be the acceptance probability of A' where w 
is now chosen uniformly at random from {0,...,A'^ — 1}. Define 



Y = < (ai, . . .,am,io) 



\po{ai,. . . ,am,io) - Pu{ai, ■ ■ ■ ,am,io)\ > ^ 

By an averaging argument we get that with probability at least ^ on the choice of (ai, . . . , a^, zq), 
(oi, . . . ,am,io) & Y for otherwise A' would have a gap of less than 

In the following we describe the distinguisher B. We are given a distribution R which is either 
U or some Tf.^g G T„y^^,(„) with an integer h < 2^^™ < and a real /3 G [(:^(^, 4^^^^^-). 

Note that neither h nor fj are given to B. Our goal is to construct B such that the acceptance 
probability with U and the acceptance probability with Th^p differ by a non-negligible factor. We 
first choose h uniformly from the set {1, 2,4, ... , y/N}. In addition we choose S uniformly from the 
range [VN /h, 4\/]V /h) and s uniformly from the range [0, 7 ^^^^^^^^2 )■ Then, consider the distribution 
R' = Cs{R + Qs'^s/N mod 1), i.e., we first add a normal variable to R and then compress the result 
by a factor of S. We take m samples ai,...,am from [N ■ R' \ and let io be chosen randomly 
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from [m]. We estimate po{ai, ■ ■ ■ , am,io) and Pu{cLi, . . . , Om, ^o) by computing many values w either 
according to the encryption algorithm or randomly and then calling A'. By using a polynomial size 
sample, we can estimate the two probabilities up to an error of at most If the two estimates 

differ by more than B accepts. Otherwise, B rejects. 

We first claim that when R is the uniform distribution, B rejects with high probability. The 
distribution R + Qs^s/n niod 1 is still a uniform distribution on [0, 1) and so is R' as can be 
easily seen from the definition of the compression. Therefore, oi, . . . , are chosen uniformly from 
{0, 1, . . . , — 1} and according to Claim if Cm is a large enough constant then with probability 
exponentially close to 1, the distribution on w obtained by encryptions of is exponentially close 
to the uniform distribution on {0, 1, . . . , — 1}. Therefore, since A' can be seen as a function on 
w, \po{ai, . . . , Um, io) — Puio-i, • • • 1 flm, ^o)| is also exponentially small and B rejects. 

Now assume that R is the distribution Th^p for some fixed h and f3 and we claim that B accepts 
with non-negligible probability. Then, according to Claim EIHl R + Qs^s/N mod 1 is T^^p-\-(^sh)'^s/N- 
Hence, according to Claim [531 R' is Tsfi^p^(^sh)^s/N- L^t X denote the event that h < h < 2h, 
6h E [VN,2VN), frc(5/i) < and P + {5hfs/N G [4^:^,8^:^). We now show that 

the probability on our choice of h,S,s that X happens is at least poiy(^n) ■ First, with probability 



^^^^^j = ^j;^, h <h <2h. Now, 6h is uniformly distributed in [h/h ■ VN, Ah/h ■ VN). Therefore, 

conditioned on h < h < 2h, the probability that 6h G [\/iV, 2-v/iV) is at least ^. Moreover, 
conditioned on h < h < 2h and 6h G [\/iV, 2\/iV), the probability that frc(5/i) < is g^. For 
any fixed 5h G [Vn,2^/N), {5hf /N G [1,4) and therefore /3 + {5hfs/N is distributed uniformly 
in [/?, (3 + {ShY /N ■ -p^^^jp-). The length of this range is at most 4 • (^^^-^yA and it always contains the 
range [4 ^^^^^y^ ,8 ^^^^-^y^ ) (because /? G [(^(^, 4^^^^^-)). Therefore, the probability on the choice 
of s that f3 + {6hfs/N G [4 

(7(n)F' ^ (7(n))^ ) least ^ = 7- To sum up, the probability of X is 

Notice that conditioned on X, the distribution of 5h and (3 + {5h)'^ /N is the same as the 
distribution of h and /? in the choice of the private and public keys. Therefore the probability that 
(ai, . . . , Om, ^o) G y is at least 

Fi{X) ■Fi{3io,{ai,..., am, io)eY\X)-->FT{X)--^^ ^ ^ 



m An'^ m poly{n) 

But when (oi, . . . , am, io) £ Y, 

\po{ai, . . ■,am,io) - Pu{ai, ■ ■ .,am,io)\ > ^ 

and therefore our estimates are good enough and B accepts. ■ 

By combining the two lemmas above we get. 

Theorem 5.8 For cn > 2ch and large enough Cm, the public key crypto system described in Section\^ 
makes decryption errors with negligible probability and its security is based on \fn- ^{n)-uSVP. 



6 Analysis of the Collision Resistant Hash Function 

Claim 6.1 Let Xi, . . . ,Xm be m independent normal random variables with mean and standard 
deviation a. For any vector b G M™, the random variable X^I^i hXi has a normal distribution with 
mean and standard deviation \\b\\ ■ a. 
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Proof: The joint distribution (Xi, . . . ,Xm) is a Gaussian distribution in M"* which is invariant 
under rotations. Hence we can equivalently consider the inner product of (||&||, 0, . . . , 0) and a 
Gaussian distribution. We complete the proof by noting that the first coordinate of the Gaussian 
has a normal distribution with mean and standard deviation a. ■ 

Definition 6.2 For any /i € Z, E M and any a E [0,1) we define the following two density 
functions on [0,1): 



h 



f 

S'h,i3,a{f) ■= Th,f3{a + ^) = Q/3(a -h + r mod 1). 
Claim 6.3 Ifh<h<{l + 5)h where h e Z, h e R, 6 > and (3 < I then A(5^ ^ ^ ^, S'f^ ^^ J < -§5. 

Proof: According to ClaimEJl Th,/3{x) = Qpihx mod 1) < (1 + Vl3)/V^ < for any x E M. 

Therefore, 



ra+l/h j-a+l/h 2 1 1 

Th,/3{x)dx < 



J a J a 



VP h h VP-h ri 



%(^i)< 
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But f^^^^'^ Th^i3{x)dx = and therefore we see that 



a+l/h 2S 

Th,(3{x)dx < -j=. 



Sl^^p^^r) ■.= n,pia + r/h). Then, 





~ f 


dr = 


l-h 




J a 



a+l/h 



1 - h 



a+l/h 



Th,i3{x)dx 











< 




+ 






h 





Th,p{x)dx 

a+l/h 



Th,i3{x)dx 



Sh,h,f3,a('-)dr 



Now, using the mean value theorem for any r E [0, 1), 



1 1, 



h h' 



- — — ) max 

h h ^ 



k=—oo 



dx VP 



which, according to Claim using -j^ > 2 > —k= + 1, is at most 



To sum up. 



(---\ — — = ^(1 --)< 

h' VP VP P h^- P ' 



dr 
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Theorem 6.4 For cn > 2ch and CLTiy Cm ^ Oj if thcTC exists CLTi dlgovithfTi ^ that given a list 
ai, . . . , am £ {0, 1, . . . , — 1} finds a nonzero vector b S Z™ such that \\b\\ < y/m and ^^^i biOi = 
O(mod N) with probability at least n^'^" where Ca > is some constant then there exists a solution 
to ^Jn ■ 'y{n)-uSVP. 

Note that in particular, if 6 G {—1,0, 1}"* then \\b\\ < yjm and hence this theorem includes collision 
finding algorithms. 

Proof: According to Theorem 14.11 it is enough to construct a distinguisher B between U and 
Vn-7(n)- The distinguisher B works by calling the routine C described below n times with each 
value /i = (1 + n~'^h)*j i g [log^_|__^-cj^ N\. The constant will be specified later. If there exists an 
h for which all n calls to C accept, B accepts. Otherwise, for any h there exists one call where C 
rejects and B rejects. 

The routine C(/i) samples m values xi, . . . , x^a from the given distribution which we denote by R. 
It also chooses m values yi, . . . ,ym uniformly in [0, l/h). Let zi = Xi — yi mod 1 and ai = YN ■ Zi\ . 
We call A with oi, . . . , am- If A fails we repeat the process again (choosing Xi,yi and calling A). If 
after n'^"'^^ calls A still fails, C accepts. Otherwise, we have a vector b £ such that ||6|| < ^/m 
and 1 bitti = O(mod A^). The routine C{h) accepts if frc(^^;^ bihyi) < ^ and rejects otherwise. 

First we show that if R is the uniform distribution then for any h, C{h) accepts with probability 
roughly ^. From this it will follow that the probability that n calls to C{h) accept is exponen- 
tially small, i.e., B rejects with probability exponentially close to 1. Each number xi is uniform 
in [0, 1) and so is zi. Therefore, each is uniform in{0,l,...,A^ — 1} and according to our as- 
sumption, A succeeds with probability at least n~'^^. The probability that n'^^^^ calls fail is at 
most (1 — 71"'^=)"''''^^ < e~" which is exponentially small. In order to bound the probability that 
bihyi) < I we use the fact that A is oblivious to the decomposition of the Zj's into Xi — yi 
and would work equally well if Zi = x'^ — y\ for some other x\^y\. Consider the following equivalent 
way to create the joint distribution of Xi,yi, Zi'. we first choose the Zj's uniformly in [0, 1) and then 
choose yi uniformly in [0, l//i) and choose Xi to be Zi + y^ mod 1. Hence, conditioned on any 
values for the Zj's, the distribution of the yiS is uniform in [0, l/h) and therefore frc(^™ ^ bihyi) is 
distributed uniformly in [0, ^). The probability that frc(^™ bihyi) < \ \s therefore \, as required. 

Now consider the case that R is T^^p where (3 < ^^^^^^^ . We claim that when h is the smallest 

such that h > h, C{h) rejects with probability at most cmn^^^~'^h. Therefore, the probability that 
B sees a rejection after n calls is at most cmn^'^T"'^^"'"^ and it therefore accepts with probability 
close to 1 if we choose a large enough c^. Notice that such an h satisfies h < h < (1 + n~'^f<)h. 
As before, we create the joint distribution of Xi,yi,Zi by first choosing Zj and then yi. This would 
allow us to use the fact that A is oblivious to the decomposition of Zi to Xi — yi. So we first choose 
the Zi's from their unconditional distribution and then consider the distribution of yi conditioned 
on Zi given by: 

— — Th,f,{zi + r) VrG[0,^). 

i::-''^'T,Ax)dx h 

Hence the density function of the distribution h ■ yi is exactly According to Claim 

the statistical distance between Sj^j^^^, and S'^^ ^ is at most ■|n~'^h < cn^'^T"'^^. Let ^i,...,^^ 
be m random variables chosen independently according to Qp. Notice that the distribution of 
the random variable ^i — h ■ Zi is exactly S^^^,. Hence, according to Claim IX!6l the statistical 
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distance between the joint distributions {h ■ yi, . . . , h ■ ym) and {S^i — h ■ zi, . . . ,S^rn — h ■ Zm) is at 
most cm ■ Now, 

m mm 

'^bi{^i - h ■ Zi) mod 1 = ^ h^i - '^h- h - Zi mod 1 

i=l i=l i=l 

According to Claim 16.11 X^i^i ^i^i ^ normal distribution with mean and standard deviation 
11^*11 • < < y^^^jp- = o( ^iog„ )- Therefore, according to Claim lA. 11 the probability that 

frc(X]ili bid) > I is neghgible. Now, 

m m ^ h ^ h ^ h h 

frc(^ bi-h-Zi)= frc(^ —biN ■ Zi) < frc(^ ^biOi) +^j;^-bi = ^j;^-bi<m- — - ^m. 

i=l i=l i=l 1=1 i=l 



Therefore, except with negligible probability, 

m 1 h 1 

frc(^ biid - h ■ Zi)) < - + m • j^Vm < - 



1=1 

-,2 



where we used the fact that h < 1'^'"^ < yiV- This implies that the probability that frc(^^j^ bihyi) < 
I is at most cm • n?'^'^~'^'" plus some negligible amount. H 



7 Quantum Computation 

In this section we show a result related to a problem in quantum computation known as the 
dihedral hidden subgroup problem. One reason this problem is interesting is because, under certain 
conditions, solving it implies a quantum solution to uSVP In Ettinger and H0yer reduced 
the problem to the problem of finding an integer k given access to the distribution where 
Pr(Zfc = z) = 2/N ■ cos'^{7rkz/N) for z = 0,1, . . . , N — 1. They presented an exponential time 
classical algorithm that uses only a polynomial number of samples of Z^. Hence, a polynomial 
number of samples contains enough information to find k. The question of whether there exists an 
efficient algorithm remained open. In this section we will show that a solution to their problem 
implies a solution to n'^-uSVP for some c. 

We start by extending Theorem l4.1l to more general periodic distributions. Let D be a distribu- 
tion on [0, 1) such that its density function satisfies D{r) < cd and \D{r) — D{r + e mod 1)| < cqe 
for all r, e G [0, 1) for some constant cq. For /i G N, define 

(r) = D{rh mod 1) 

to be the distribution on [0, 1) given by h periods of D. Moreover, define 

= |rf I /iGN, /i<2^'^"'}. 

where Ch is the constant from Lemma 14.91 and n is the size parameter of the problem. 

Lemma 7.1 If there exists a distinguisher between U and Tj^ then there exists a solution to n'^- 
uSVP for some c > 0. 
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Proof: Assume ^ is a distinguisher between U and 7^ and assume that it uses n'^'^ samples of 
the given distribution for some ca > 0. Let pu denote the acceptance probabiUty of A on inputs 
from distribution U and for /i G N let ph denote its acceptance probability on inputs from T^. 
According to our hypothesis \pu — Ph\ ^ n~^'^ for all h G [2'^'^" ] for some constant Cd > 0. 

We construct a distinguisher B between U and 7^,n= foi' some large enough c > 0. The lemma 
then follows from Theorem 14.11 Let R denote the given distribution. First, B chooses a value h 
uniformly from the set {1, 1 + /i, (1 + //)^, . . . , 2^^^" } where = n"^'' for some constant > to 
be chosen later. Then, define the distribution R' as 

B! = R+S- mod 1, 
h 

i.e., a sample from R' is given by x + r/h mod 1 where x is chosen from R and r is chosen from D. 
It then estimates the acceptance probability of A using sequences of samples from R' each of length 
n'^'^. According to the Chernoff bound, using a polynomial number of sequences, we can obtain 
an estimate that with probability exponentially close to 1 is within of the actual acceptance 
probability. If the estimate differs fromp^ by more than ^ accepts; otherwise, it rejects. This 
completes the description of B. 

When R is the uniform distribution then R' is also the uniform distribution. Therefore, with 
probability exponentially close to 1, B^s estimate is within of pu and B rejects. Hence, it is 

2 

remains to show that B accepts with some non-negligible probability when R is Th^/s where h < 2'^*'" 
and /9 < n~^'^ for some large enough cp. 

Consider the event in which h < h < (1 + fj,)h. Notice that it happens with non-negligible 
probability since h is chosen from a set of size polynomial in n. The following claim will complete 
the proof by showing that the statistical distance between R' and is smaller than n~'^'^~'^'^ /A. 
Using Claim it follows that the statistical distance between a sequence of n'^'^ elements of R' 
and a sequence of n'^'^ elements of is at most n~'^''/A. Finally, using Equation^ this implies that 
.A's success probability on sequences from R' is within n~'^<'/4 from p^ and since \pu — Ph\ ^ n~'^'', 
B accepts. 

Claim 7.2 For h as above and for large enough Cj3 and c^, the statistical distance A{R',T^) < 
Proof: Consider the distribution R" given by 

R" = n^p + j. 

The distribution R" can be seen as a random function of the distribution D: given a value r € D 
sample a value x from Th^p and output x + r/h. Notice that R' is given by applying the same 
function to the distribution {h/h)D. Hence, using Equation Q 

A{R',R") < A{D,^D) = / \D{r) - D{-r)\dr + D{r)dr 

h Jo " Jh/h 

h. , h. 

< cd(1--) + (1- ~)CD 

n n 

< 2cd// = 2cDn-'='^. (4) 
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We next bound the statistical distance between Tj^ and R" . Let X be a random variables 



distributed uniformly over {0, t, • • • , \r-^- Then, it can be seen that 



D 

X + — mod 1. 

h 



Now, let Y be another random variable distributed normally with mean and variance Then, 
as in Claim Em T/^^^ = X + Y/h mod 1 and hence, 

Y D 

R" = X + — + — mod 1. 
h h 

Therefore, can be seen as a random function applied to a sample from while R" can be seen 
as the same function applied to a sample from ^ + From Equation ^ it follows that 



A{T/^, R") <^[\d, ^{D + Y)] = A{D, D + Y). 



(5) 



Let Y' be the restriction of a normal distribution with mean and variance to the range 
[—n\/]3,n\/^. More formally, 

Y'{r) = Y{r)/ / Y{r)dr 

for r G [—n^/J3 , ny/JJ\ and Y'{r) = elsewhere. From Claim TKaI it follows that the distribution of 
Y is very close to that of Y': 



A{Y,Y') < \[^ ■ - 
V vr nV27r 



(6) 



Now, using the fact that Y' always gets values of small absolute value, 



\D{r) - {D + Y'){r) 



< 



D{r) 



D{r — x)Y' {x)dx 



\D{r)-D[r-x)\Y'{x)dx 



/""VP 

< ConyT? / Y'{x)dx 



Since both D{r) and {D + Y'){r) are zero for r < —ny/P and for r > 1 + n^/P, 
A{D,D + Y') 



\D{r) - {D + Y'){r)\dr 

l-n^ 



(7) 



for large enough c/j . Finally, combining Equations 21 El El 13 and using the triangle inequality, we 
obtain 

A(i?',Tf ) < 2cDn-^'^ + 2~^("') + 2cDn^-^'3/2 < n-^^-^'/'i 
for large enough c/j and c^. H 
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This completes the proof of Lemma l7. II 



We can now prove the main theorem of this section. 

Theorem 7.3 For k e N, k < N, define the distribution Zk by Pv{Zk = z) = 2/N ■ cos^ {irkz/N) 
for z = 0, 1, ... — 1. Assume there exists an algorithm A that given a polynomial (in logN) 
number of samples from Z^, returns k with probability exponentially close to 1. Then, there exists 
a solution to vf-uSVP for some c. 

We remark that it is possible to relax the assumptions of the theorem. It is enough if the algorithm 
returns k with non-negligible probability. Also, it is enough if the algorithm finds k only for some 
non-negligible fraction of all possible k's. 

Proof: Let D be the distribution on [0, 1) given by D{r) = 2cos^(7rr). An easy calculation shows 
that the absolute value of its derivative is at most 47r. Therefore, it satisfies the conditions stated 
before Lemma lTni with cd = 47r. Using Lemma lTm it is enough to show how to distinguish between 
U and T^. 

Given an unknown distribution R, let R' be the distribution given by [N ■ R\ where N is chosen 
to be large enough, say, 2'^'^^^ . We call A with enough samples from R' and obtain a value k. 
Finally, we take one sample r from R and accept if frc(rA:) < 1/4 and reject otherwise. 

First, consider the case where R is the uniform distribution. Then no matter which value of k 
we obtain, the probability that frc(rA;) < 1/4 is exactly 1/2. Now consider the case where R is 
for some h < 2'^^"' . For any r = 0,...,A^ — 1, the probability that i?' = r is given by 



l-{r+l)/N r{r+l)/N 

/ D{hx mod l)dx = / 2 cos^(7r/ix)(ix. 

Jr/N Jr/N 



From the bound on the derivative of D mentioned above, we obtain that the distance of this integral 
from 2/A^ • cos^{-Khr /N) is at most An'^h/N'^. Therefore, the statistical distance between R' and Z^, 
is 

A{Zh,R') < y •4^2^/iV2 ^ 2-^(n2)_ 

Since the number of samples given to A is only polynomial in n, its input is still within statistical 
distance 2"^^"^^ of Zh and it therefore outputs h with probability exponentially close to 1. Then, 
the probability that hc{rk) < 1/4 is given by 



f^/'^ 2 11 

/ 2 cos {■Kr)dr = — | . 

J-i/4 2 vr 
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A Several Technical Claims 



Claim A.l The probability that the distance of a normal variable with variance from its mean 
is more than t is at most \/ ^ ■ ^e 2^ . 



TT t ' 



Proof: 



/ ^dx< / (1 + ^)^= 

Jt V2^a Jt x^' 



2 1 _ x2 1 

e 2^dx = 

2iTa V27r(7 x 



(72 

— e 2^ 



■e 



x=t 



2lTt 



Claim A.2 



feez 



Proof: Let fc' G Z be such that \kr + x\ is minimized. Then, 



1 + - / e- 
r 



-^y^dy = 1 + - 



k&\{k'} 

1 

r 



k&I\{k'} 



where changing the sum to an integral is possible because the sum can be seen as the area under 

2 

a function that lies completely below e"'^^ . ■ 
Claim A.3 For any a,x e'R and any b > + I, £ T.k& e-''('''=+"^)' 
Proof: Let z denote a ■ x. Then, 



< ca 



dx ^ 



A. \^ ^-7r{bk+zf 

dz^ 



k& 



< 



fcez 
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In the following we will upper bound 



|27r(6A: + y)e-'^(^'=+2/)= 

fee{o,i,...} 

where y G [0, 6]. The upper bound for the original expression is clearly at most 2a times this value. 
The function |27rye""'^^ | is increasing from to where it attains the maximum value of \/27re. 
After that point it is monotonically decreasing. Hence, 



feeN 



27rye 



-Try 



+ |27r(6A; + y)e-'^('''=+^)' 

fce{i,2,...} 



< 



VlTTye 



\dy 



'2'Ke + 1 



where changing from summation to integration is possible because 6 > 1 and because the function 
is decreasing from -k= and the first y in the sum is at least -k — hi. ■ 

V ^TT V ^TT 



Claim A. 4 Let L he a lattice and let f : — > M 6e periodic on L, i.e., f{x) = f(x + y) for all 
X G and y & L. Then, for any two bases vi, . . . ,Vn and ui, . . . ,Un of L, 



I f{x)dx = / f{x)dx. 

J'P{vi,...,Vn) J'P{ui,...,Un) 



Proof: One can get from one basis of a lattice to any other by a finite sequence of operations of 
the following two types: replace vector Vi by —Vi and replace vector Vi by Vi + Vj for some i 7^ j. 
Hence, it is enough to show that the integral is invariant under these two operations. Define the 
following 'half parallelepipeds: 



Vi = (Y I «i € [0' 1)' "2 > ai} 

i=l 
n 

V2 = OiiVi I ai G [0, 1), a2 < ai} 



1=1 



Vz = (Y (^i'^i + V2\ [0, 1), 02 < ai} 



Note that V{vi, . . . , Vn) is equal to Vi U V2 and V{vi + V2, V2,-- - , Vn) =ViU Vs. But since V3 is a 
shift of V2 hy V2 & L, 

[ f{x)dx =1+1 f{x)dx =1+1 fix)dx = [ 
Jp{L) JVi JV2 JVi JVs JV( 

A similar argument shows that the integral is invariant under negation of basis vectors. 
Claim A. 5 For any vector v E L, 



''P{vi+V2,V2,...,V„) 



f{x)dx. 



e-^^^^^ dx = \\v\\d{L*). 
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fix) ■.= Y.e 



ll"ll ' . 



Proof: Define 



Notice that for any w G L*, f{x) = f{x + w) since {v,w) £ TL and hence / is periodic on L*. 
Consider the basis for L* given by any basis of the lattice L* n and any vector w in L* such 
that = 1. Let V denote the corresponding parallelepiped. Then, using Claim ^31 



/ f(x)dx = [ f{x)dx = -i- / f 
Jv(L*) Jv Pll ^0 JV{ 

I'^ll JQ Jvnu\(v.v)=a\ rri 



f{x)dx da 

IV{L') Jv ir^ll ^0 JVr\{y\{y,v)=a} 



^ C \\v\\d{L*) ■Y.e""''^'^^ da 

d{L*) Ve~"^lM^'(ia = d(L*) H e"''^^\^^ da = \\v\\d{L*] 

Jo ,.^n, J-OO 



Claim A. 6 Let Xi, . . . , Xm, Yi, . . . , Ym be mutually independent random variables. Then the sta- 
tistical distance between the joint distributions satisfies 



A((Xi, . . . , (n, . . . , y„)) < ^ A(X„ Fi)- 



1=1 



Proof: We consider the case m = 2. The claim follows for m > 2 by induction. According to the 
triangle inequality, 

A{{Xi,X2),(Yi,Y2)) < A{{Xi,X2),{Xi,Y2)) + A{{Xi,Y2),{Yi,Y2)). 

Since Xi is independent of X2 and Y2, 

A{{Xi,X2),{Xi,Y2)) = A{X2,Y2) 

and similarly 

A{{Xi,Y2),{Yi,Y2)) = A{Xi,Yi). 



Properties of an LLL reduced basis 

Claim A. 7 Let B = ibi,j)i<ij<n be an n x n upper triangular matrix such that for all i < j < n, 
\bi i\ < \bjj\. Then, the entries of {B^)~^ have an absolute value of at most . ^i, — ,2". 

Proof: First, let D denote the diagonal matrix with values bi^i on the diagonal. Then B can 
be written as MD where M is an upper triangular matrix with ones on the diagonal and all 
other entries have an absolute value of at most 1. Then, {B'^)~^ = [D^ M'^)~^ = {M'^)~^ . 
Therefore, it is enough to show that the entries of L := (M-^)^^ have absolute values of at most 1. 
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The diagonal of L is all ones and it is lower triangular. The entry /jj- for i > j can be recursively 
defined by —J2j<k<i^k,jn^k,i- Therefore, 



j<k<i 



j<k<i j^k<i 



from which we get the bound < 2* for i > j. 



Claim A. 8 Let (vi, . . . , Vn) be an LLL-reduced basis of a lattice L and let Y17=i ^i'^i shortest 
vector. Then \ai\ < 2^" for all i G [n] and A(L) < ||wi|| < 2"A(L). Moreover, if {vf, . . . ,v^) is the 
dual basis, then \\v*\\ < ]^^2^"' for all i G [n]. 



Proof: Let {v\, . . . ,Vn) denote the Gram-Schmidt orthogonalization of {vi, . . . ,Vn); 
component of Vi orthogonal to the subspace spanned by vi, . . . , I'j-i. Clearly, {v\,Vj) 



i.e., v\ is the 
= for i > j. 

2 

. In 



< m 



Recall that in an LLL reduced basis \\v\\\ < \/^\\vj^-^\\ and for i < j, { 

addition, recall that miuj \\vj\\ is a lower bound on A(L). Then for any i G [n], < 2(*~-'^)/^||?;t| 
and therefore \\vl\\ < 2("-i)/2A(L). But since v\ = vi we see that A(L) < < 2"A(L). Consider 



the representation of (t^i, . . . , w,, 
columns of the matrix B = {bij)i<i_j<n 
triangular and that its diagonal is bi^i 



in the orthonormal basis {v\/ 



where h 



\v 



It is given by the 
Notice that this matrix is upper 



Also note that by the properties of an LLL reduced 



basis, \bij\ < ^\\vl\\ for i < j. The shortest vector is Y17=i ^i'^i ~ Yll^=iiYl^=i / W'^iW- Since 



its length is at most 2"||7;J|| the absolute value of each of its coordinates is at most 2"||u^ ||. Hence, 
X^j=iOj^ij < 2"||uJ|| for every i G [n]. By taking i — n we get that |onfenn| ^ ^"11^™ 1 1 ^-iid hence 
a„| is at most 2". We continue inductively and show that \ak\ < 2^""^^. Assume that the claim 



„ti 



holds for afc+i, . . . , a^. Then, | 



1 o2n-fc|U,t 



— 2\ 



.,t| 



2 

2n 



.,t| 



v\\. By the triangle inequality, |afc&fc,fc| < I Ej=A:+i Oi^fcjl + I Y., 



< 2 



2n—k ||„,t 



j=k+l 

j=k o-jbkj 



„t| 



< 



and the proof of the first part is completed. 



< (i22"-'= + 



The basis of the dual lattice is given by the columns of {B^ ) ^. Since miuj \ bi^i\ > and 



< 



-'1,1 1 ) 



Claim implies that the entries of (B^) ^ are at most ^^^^2^" in absolute value 



Therefore, the length of each column vector is at most ^^2^". 
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